I’m running Start9 OS on a Lenovo M910q and recently came across information that Microsoft certificates will expire in June 2026. From what I understand, this could affect computers worldwide — potentially preventing them from booting unless updates are released in time or Secure Boot is disabled.
My questions are:
Do I need to manually renew these certificates when running Start9 OS, or is this unnecessary?
Would simply disabling Secure Boot now be a safe workaround?
Has anyone already looked into how Start9 OS will handle this situation?
This actually already affects computers which have had the latest version of Windows installed in the last year prior to installing StartOS (the shim which 0.3.5.1 uses has a signature which was deprecated by Microsoft in the August 2024 cumulative update).
My guess is that StartOS 0.4.0 (currently in Alpha testing) will ship with a shim that has the latest Microsoft signature. I’ll see if Start9 has posted anything about this though, to make sure it is on their radar.
Anyway, I wouldn’t be concerned about it yet, until we see what Start9 does with 0.4.0. If it doesn’t ship with an updated shim, then yes you would probably want to start looking at disabling Secure Boot sometime between now and next June. This is a relatively safe workaround, since I believe the vulnerability that disabling Secure Boot opens up could only be realisticialy exploted by someone with physical access to your server.
Hmm… I’m not impressed with StuPleb’s response. He seems to think that disabling SecureBoot is a typical step on a DIY install (which it certainly is not… why else would they ship StartOS with the Microsoft-signed shim?)
I’ll pull together some technical details and continue the discussion over there to see if I can convince them that this should be on their TODO list for 0.4.0. They are going to continue to lose market share to Umbrel if they ignore little quality-of-life UX items like this.